OpenStack Hardening Security for Open Source Cloud Platform

PORTLAND: Security is improving in the open source OpenStack cloud platform, but more work is needed and is still being done. That's the message coming from the recently formed OpenStack Security Group (OSSG) at the OpenStack Summit in Portland this week.

OpenStack is a multi-stakeholder effort with broad participation from some of the biggest IT vendors in the world, including IBM, Dell, HP, Intel, Cisco and AT&T, as well as Linux vendors Red Hat, SUSE and Canonical. It is being deployed by well-known companies such as BestBuy, eBay, Comcast and Bloomberg.

Six months ago at the OpenStack Summit in San Diego, OSSG members Bryan Payne, who works for Nebula, and Robert Clarke, cloud security architect at HP, detailed what they saw as points of concern in OpenStack. At a session in the Portland OpenStack Summit on Thursday, Payne and Clarke were back, updating the community on the progress that has been made.

For one, the OSSG is more organized and operational than it was six months ago. The group now has about 30 members. It has set up a page on the Landscape tracking system to serve as a portal for information about the group's activities. The OSSG hosts weekly meetings on Internet Relay Chat (IRC), every Thursday at 1 p.m. ET, and posts all of the meeting minutes online.

OpenStack Security Notes

The group has also expanded the type of security guidance it offers, with a new initiative called Security Notes (OSNs).

"OpenStack Security Notes exist to guide users and implementers of OpenStack through various security 'pain-points'," the launchpad site states. "Security Notes do not directly address vulnerabilities in OpenStack."

Clarke noted that vulnerabilities are still handled by the OpenStack Vulnerability Management Team (VMT). The goal of the OSNs is to provide guidance and security best practices, Clarke said, adding that OSNs suggest the right direction for secure deployment and operation.

The OSSG is also working on a full scale OpenStack Hardening Guide that will build on OSN information. The plan for writing the guide is to get 10 to 15 OpenStack security experts into a room to hammer it out, Payne noted. The OSSG hopes to do this in June.

"Our hope is that next time, we will have an actual document to show you," Payne said.

Security Improvements on Way

At the San Diego Summit, Payne was critical of HTTPS/SSL support on the client side in OpenStack. He reports that over the last six months, work has been done to fix the situation by using Python requests. OpenStack is written in the open source Python language. Payne noted that the new improvements for HTTPS support mean that people will be able to deploy clouds in a more secure manner.

As part of the next major upgrade of OpenStack, codenamed Havana and set for release in six months, security will be top of mind. Payne noted that the plan is for Havana to have transparent encryption of data at rest, which will be a major boost for security.

While progress has been made on OpenStack security, much remains to be done. "It's not all roses," Clarke said.

Clarke said he has noticed a gap between those with OpenStack experience and those with security experience. That situation can sometimes make it difficult to get the right fix through to the right part of the project, he said.

Clarke stressed that the OSSG is trying to orchestrate security where needed across the OpenStack platform. For instance, it is looking at ways to do automated code review."We expect to have some cool stuff to show at some point in the future," he said.

Both Clarke and Payne are looking for more help in the OSSG to help continue to improve security for the open source cloud project.

"This is a rallying cry," Clarke said. "If you do have something to contribute, we'd love to have you on board and improve the product for the next summit."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.